1) Get the tac_plus RPM matching your Linux architecture (search Google for it) and install it
[root@www ~]#rpm -ivh tac_plus-4.0.4.26-1.el6.nux.x86_64.rpm
warning: tac_plus-4.0.4.26-1.el6.nux.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID 85c6cd8a: NOKEY
Preparing... ########################################### [100%]
package tac_plus-4.0.4.26-1.el6.nux.x86_64 is already installed
2) Edit config file
[root@www ~]# vi /etc/tac_plus.conf
# Shared secret between tac_plus and the network device; "MYKEY" is the
# example value used in these notes, so set your own before deployment.
key = "MYKEY"
accounting file = /var/log/tac.acct
# authentication users not appearing elsewhere via
# the file /etc/passwd
#default authentication = file /etc/passwd
# Default ACL: only the device at 10.255.160.7 (the same host configured
# in the host block below) is permitted; the 192.168.0.x entry is left
# commented out.
acl = default {
#permit = 192\.168\.0\.
permit = 10\.255\.160\.7 <<<<< this is the IP I was to allow
}
# Example of host-specific configuration:
host = 10.255.160.7 {
prompt = "Enter your Unix username and password, Username: "
# Enable password for the router, generate a new one with tac_pwd
# NOTE(review): this is the same des hash as the $enab15$ user at the
# bottom of the file, i.e. the same enable password is set in both places.
enable = des xb5MO66xiT93Q <<<< des + password generated with tac_pwd
}
# Group that is allowed to do most configuration on all interfaces etc.
group = sysadmin {
# group members who don't have their own login password will be
# looked up in /etc/passwd:
#login = file /etc/passwd
# or authenticated via PAM:
login = PAM
acl = default
# Needed for the router to make commands available to user (subject
# to authorization if so configured on the router
service = exec {
priv-lvl = 15
}
cmd = enable {
permit .*
}
cmd = show {
permit .*
}
cmd = exit {
permit .*
}
# NOTE(review): "permit .*" matches any argument, so members of this group
# can enter any configure mode; confirm that is the intended scope.
cmd = configure {
permit .*
}
# Interface commands are limited to FastEthernet/GigabitEthernet names.
cmd = interface {
permit FastEthernet.*
permit GigabitEthernet.*
}
cmd = switchport {
permit "access vlan.*"
permit "trunk encapsulation.*"
permit "mode.*"
permit "trunk allowed vlan.*"
}
cmd = description {
permit .*
}
# Only "no shutdown" is listed as permitted; other "no ..." forms are not.
cmd = no {
permit shutdown
}
}
# NOTE(review): the password below is stored in cleartext in this file;
# make sure the file is readable only by the account running tac_plus.
user = joe {
login = cleartext MYpassword <<<< to put pwd in cleartext in config use "cleartext"
#member = sysadmin
# NOTE(review): no "group = admin" appears in this excerpt — presumably
# defined elsewhere in the config; verify it exists.
member = admin
}
# NOTE(review): "default service = permit" presumably allows services not
# listed explicitly for this user — confirm this is intended.
user = testuser {
default service = permit
login = PAM
member = admin
}
user = fred {
login = PAM
member = sysadmin
}
# User account configured for use with "rancid"
# NOTE(review): the only login line for this user is commented out, so no
# login method is set for rancid in this excerpt — TODO confirm.
user = rancid {
# Generate a new password with tac_pwd
#login = des LXUxLCkFhGpwA
service = exec {
priv-lvl = 15
}
cmd = show { permit .* }
cmd = exit { permit .* }
cmd = dir { permit .* }
cmd = write { permit term }
}
# Global enable level 15 password, generate a new one with tac_pwd
user = $enab15$ {
login = des xb5MO66xiT93Q
}
# Catch-all user entry, kept commented out here.
#user = DEFAULT {
# login = PAM
#member = default
#}
***** AX config (A10 load balancer config)
authorization commands 15 method tacplus
authentication type tacplus local
authentication console type tacplus local
authentication login privilege-mode
accounting exec start-stop tacplus
accounting commands 15 stop-only tacplus
tacacs-server host 10.255.161.55 secret secret-encrypted CtFNhJOqYs08EIy41dsA5zwQjLjV2wDnPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn port 49 timeout 12
[root@www ~]# ssh joe@10.255.160.7
Password:
Last login: Sun Jun 21 03:11:07 2015 from 10.255.161.55
ACOS System is ready now.
[type ? for help]
AX02#
******************************** FREERADIUS *****************************
[root@www ~]# ls freeradius-*
freeradius-2.1.12-6.el6.x86_64.rpm
freeradius-mysql-2.1.12-6.el6.x86_64.rpm
freeradius-utils-2.1.12-6.el6.x86_64.rpm
[root@www ~]#
[root@www ~]# rpm -ivh freeradius-*
Preparing... ########################################### [100%]
1:freeradius ########################################### [ 33%]
2:freeradius-mysql ########################################### [ 67%]
3:freeradius-utils ########################################### [100%]
[root@www ~]# service radiusd restart
Stopping radiusd: [ OK ]
Starting radiusd: [ OK ]
3) check whether the ports are listening/open
[root@www ~]# netstat -nulp | grep radiu
udp 0 0 0.0.0.0:44946 0.0.0.0:* 19995/radiusd
udp 0 0 0.0.0.0:1812 0.0.0.0:* 19995/radiusd
udp 0 0 0.0.0.0:1813 0.0.0.0:* 19995/radiusd
udp 0 0 0.0.0.0:1814 0.0.0.0:* 19995/radiusd
udp 0 0 127.0.0.1:18120 0.0.0.0:* 19995/radiusd
**** Adding user
[root@www ~]# vi /etc/raddb/users
#"John Doe" Cleartext-Password := "hello"
siaka Cleartext-Password := "password"
**** testing server connectivity
[root@www ~]# radtest siaka password localhost 1812 testing123
Sending Access-Request of id 4 to 127.0.0.1 port 1812
User-Name = "siaka"
User-Password = "password"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=4, length=20 (this is a good sign: the server received the request and replied, so connectivity works)
**** adding client
[root@www ~]# vi /etc/raddb/clients.conf
client 10.255.160.7 {
secret = testing123
}
[root@www ~]# service radiusd restart
Stopping radiusd: [ OK ]
Starting radiusd: [ OK ]
[root@www ~]#
******* A10 box config
AX02(config)#radius-server host 10.255.161.55 secret testing123
AX02(config)#authentication type radius local
AX02(config)#accounting exec start-stop radius
Last login: Sun Jun 21 20:50:23 2015 from 10.200.2.150
ACOS System is ready now.
[type ? for help]
AX02#
******* on A10 box
AX02#sh radius-server
Radius server : 10.255.161.55
contact start : 2
contact failed : 0
authentication success : 1
authentication failed : 0
authorization success : 1
****************************** other resources
https://networklessons.com/linux/how-to-install-tacacs-on-linux-centos/